feat: add dependency information to conan lockfile parser #2131
Conversation
This looks like a great change @Pro! A couple notes: This modifies the Syft JSON, so you'd need to update the JSON schema. Basically: bump the And, you'll need to Sign-off your commits: https://github.com/anchore/syft/blob/main/CONTRIBUTING.md#sign-off-your-work
Signed-off-by: Stefan Profanter <stefan.profanter@agile-robots.com>
7992376 to 5f3cbc9 (Compare)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow can you please clarify the following for me: The CycloneDX contains this metadata

```json
"component": {
  "bom-ref": "7ea68ac679dc44fd",
  "type": "file",
  "name": "conan.lock",
  "version": "sha256:sha256:421e3aca902b6310bc89875e13c135843d574a0d01bc399c895fde46ecc16068"
}
```

But if I upload this BOM to DependencyTrack, the dependency tree is not properly built. Only if I change the metadata to the following is it properly shown (i.e. bom-ref should point to a component in the list):

```json
"component": {
  "bom-ref": "pkg:conan/my_user/mfast@1.2.2?channel=my_channel&package-id=3117859c73631bd1",
  "type": "library",
  "name": "mfast",
  "version": "1.2.2"
}
```

But I can only set name and version via the command line args. What would be the correct way to set this?
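The behaviour described above comes down to how a consumer resolves `bom-ref` values: it starts at `metadata.component` and walks the `dependencies` array, and any `ref` or `dependsOn` entry that does not resolve to a declared component leaves a hole in the tree. The script below is an added example, not code from syft or from this PR. It builds two small constructed BOMs shaped like the two metadata variants quoted in the comment (the mfast purl is the one from the comment; the boost component, its version and the `dependsOn` edge are assumptions), reports unresolved references, and renders the tree a consumer would build from the root.

```python
"""Added example (not syft's or the PR's code): check that a CycloneDX JSON BOM's
references resolve, and show the dependency tree a consumer would walk from
metadata.component."""
import json
from typing import Dict, List, Set

# The mfast ref is the one quoted in the thread; the boost ref is constructed.
MFAST_REF = "pkg:conan/my_user/mfast@1.2.2?channel=my_channel&package-id=3117859c73631bd1"
BOOST_REF = "pkg:conan/boost@1.75.0"


def _bom(root: dict) -> dict:
    """Constructed sample BOM: two conan libraries, mfast depending on boost."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": root},
        "components": [
            {"bom-ref": MFAST_REF, "type": "library", "name": "mfast", "version": "1.2.2"},
            {"bom-ref": BOOST_REF, "type": "library", "name": "boost", "version": "1.75.0"},
        ],
        "dependencies": [
            {"ref": MFAST_REF, "dependsOn": [BOOST_REF]},
            {"ref": BOOST_REF, "dependsOn": []},
        ],
    }


# Variant 1 mirrors the thread's first metadata: the root is the lockfile itself,
# and no dependencies entry starts from it.
FILE_ROOT_BOM = _bom({"bom-ref": "7ea68ac679dc44fd", "type": "file", "name": "conan.lock"})
# Variant 2 mirrors the second: the root is the mfast library component.
LIBRARY_ROOT_BOM = _bom(
    {"bom-ref": MFAST_REF, "type": "library", "name": "mfast", "version": "1.2.2"}
)


def component_refs(bom: dict) -> Set[str]:
    """Collect every bom-ref declared under components, including nested ones."""
    refs: Set[str] = set()
    stack = list(bom.get("components", []))
    while stack:
        comp = stack.pop()
        if "bom-ref" in comp:
            refs.add(comp["bom-ref"])
        stack.extend(comp.get("components", []))
    return refs


def check_refs(bom: dict) -> Dict[str, object]:
    """Report the reference problems that leave a consumer without a usable tree."""
    refs = component_refs(bom)
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    edges = {d["ref"] for d in bom.get("dependencies", []) if "ref" in d}
    dangling: List[str] = []
    for entry in bom.get("dependencies", []):
        for ref in [entry.get("ref")] + list(entry.get("dependsOn", [])):
            # The metadata component's own bom-ref is a legal target too.
            if ref not in refs and ref != root and ref not in dangling:
                dangling.append(ref)
    return {
        "root": root,
        "root_in_components": root in refs,
        "root_has_dependency_entry": root in edges,
        "dangling": dangling,
    }


def dependency_tree(bom: dict) -> Dict[str, object]:
    """Walk `dependencies` from the metadata component, as a consumer builds the tree."""
    edges = {
        d["ref"]: list(d.get("dependsOn", []))
        for d in bom.get("dependencies", [])
        if "ref" in d
    }

    def walk(ref: str, seen: frozenset) -> Dict[str, object]:
        if ref in seen:  # cycle guard: a self-referencing graph must not recurse forever
            return {}
        return {child: walk(child, seen | {ref}) for child in edges.get(ref, [])}

    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    return {root: walk(root, frozenset())} if root else {}


def check_bom_text(text: str) -> Dict[str, object]:
    """Convenience entry point for a BOM read from disk or a pipe."""
    return check_refs(json.loads(text))


if __name__ == "__main__":
    for label, bom in (("file root", FILE_ROOT_BOM), ("library root", LIBRARY_ROOT_BOM)):
        print(label, json.dumps(check_refs(bom), indent=2))
        print(label, json.dumps(dependency_tree(bom), indent=2))
```

With the file-typed root there is no `dependencies` entry starting from `7ea68ac679dc44fd`, so the walk stops immediately and the tree is just the root; with the library root the walk reaches boost. Running `check_bom_text` over real syft output before uploading to a consumer makes that difference visible without guessing at the consumer's import logic.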
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@Pro are you referring to the Also: I misspoke earlier and the schema change was breaking, so I went ahead and updated it on this PR (and also pushed a very small tweak I think helps readability just a bit)
@kzantow Thanks! This MR is ready from my side.
Thanks for the contribution @Pro !
Signed-off-by: Stefan Profanter <stefan.profanter@agile-robots.com>
This MR adds proper dependency parsing from the conan lockfile.
The example output of the conan.lock file included in this MR is: